Zurich hit with £2.27 million data loss fine

The FSA has given Zurich UK a hefty fine following a data loss incident in 2008.

Zurich

Zurich Insurance's UK branch has been fined 2.275 million by the Financial Services Authority (FSA) following the loss of 46,000 customers' data.

Bank account and credit card information was lost by Zurich, along with identity details and information on insured assets and security arrangements.

The incident occurred in 2008 when the company's UK branch outsourced the processing of some of its general insurance customer data to Zurich Insurance Company South Africa (Zurich SA).

An unencrypted back-up tape was misplaced by Zurich SA during a standard transfer to a data centre.

Zurich UK did not learn about the loss until a year later as there were not any adequate reporting lines in place, the FSA said.

The regulatory body concluded Zurich UK did not have effective systems and controls in place to manage the risks involved in protecting customer data in relation to the outsourcing deal.

Furthermore, Zurich did not have sufficient protection in place to ensure lost data would not be used for financial crime, the FSA claimed.

"Zurich UK let its customers down badly," said Margaret Cole, the FSA's director of enforcement and financial crime.

"It failed to oversee the outsourcing arrangement effectively and did not have full control over the data being processed by Zurich SA. To make matters worse, Zurich UK was oblivious to the data loss incident until a year later."

Zurich's UK chief executive (CEO), Stephen Lewis, said: "This incident was unacceptable. It served to remind us of the need to strive continually to improve the ways in which we seek to protect customers' data."

He also confirmed Zurich UK would be hiring an information security officer to ensure protection measures are effective.

The fine is the biggest financial penalty levied on a single organisation ever in the UK for a data security issue.

Had the firm not agreed to settle at an early stage of the investigation, the fine would have been 3.25 million.

To date, Zurich has not seen any evidence to suggest the lost data was compromised or used for criminal activities.

A sufficient deterrent?

Earlier this year, the Information Commissioner's Office (ICO) made Zurich's Lewis sign an undertaking to ensure whenever back-up tapes were in transit, the right data security procedures, such as encryption, would be in place.

This was before the ICO was able to fine up to 500,000 for data breaches, but Stewart Room, partner in Field Fisher Waterhouse's Privacy and Information Law Group, claimed this case highlighted the limited powers of the ICO.

"It does throw into relief, yet again, the adequacy of the 500,000 penalty for the information commissioner, where the FSA has already shown that it needs something that is at least four-and-a-half times as large," Room told IT PRO.

"This case demonstrates once again that what we need is a more unified approach to security but within regulation."

Room, who is also a director of the Cyber Security Challenge UK, called into question how far the FSA fine will go in acting as a deterrent.

"I don't believe that this fine will act as a wake up call to the financial services industry. Nor do I believe that the financial services industry will resolve all its problems now that this fine has been published," he added.

"I think the FSA will need to scale up fines considerably before it becomes such a deterrent effect."

Room also suggested Zurich's reputation will not be irrevocably damaged by the data security failings.

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Recommended

Best ransomware removal tools
ransomware

Best ransomware removal tools

22 Jan 2021
Hackers publish over 4,000 files stolen from SEPA in ransomware attack
Security

Hackers publish over 4,000 files stolen from SEPA in ransomware attack

22 Jan 2021
Weekly threat roundup: SAP, Windows 10, Chrome
vulnerability

Weekly threat roundup: SAP, Windows 10, Chrome

21 Jan 2021
Biden nominees highlight tough cyber security challenges
cyber security

Biden nominees highlight tough cyber security challenges

20 Jan 2021

Most Popular

School laptops sent by government arrive loaded with malware
malware

School laptops sent by government arrive loaded with malware

21 Jan 2021
How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

21 Jan 2021
What is the Raspberry Pi Pico?
Hardware

What is the Raspberry Pi Pico?

21 Jan 2021